PyDivert is a powerful Python binding for WinDivert, a Windows driver that allows user-mode applications to capture, modify, and drop network packets sent to or from the Windows network stack.
- Capture network packets matching a specific filter.
- Modify packet headers and payloads on the fly.
- Drop unwanted packets.
- Inject new or modified packets into the network stack.
- Support for WinDivert 2.2+ advanced features (FLOW, SOCKET, and REFLECT layers).
- Bundled Binaries: No need to manually install WinDivert; the 64-bit DLL and driver are included.
- Python 3.10+ (64-bit)
- Windows 11 (64-bit)
- Administrator Privileges (required to interact with the WinDivert driver)
Note
Windows Server is currently untested but likely works if it meets the architecture requirements.
Install PyDivert using pip:
pip install pydivertOr using uv:
uv add pydivertThe main entry points are pydivert.WinDivert for capturing and pydivert.Packet for manipulation.
Tip
All code examples in this README are verified by automated integration tests in pydivert/tests/test_readme_examples.py.
import pydivert
# Capture only TCP packets to port 80 (HTTP requests)
with pydivert.WinDivert("tcp.DstPort == 80") as w:
for packet in w:
print(f"Captured: {packet}")
w.send(packet) # Re-inject the packet back into the stackWhen you call .recv() (or iterate over the WinDivert object), the packet is taken out of the Windows network stack. It will not reach its destination unless you explicitly call .send(packet).
You can easily modify packet headers and recalculate checksums automatically.
import pydivert
with pydivert.WinDivert("tcp.DstPort == 1234") as w:
for packet in w:
# Redirect traffic to port 80
packet.dst_port = 80
# WinDivert handles checksum recalculation by default when sending
w.send(packet)By simply not calling .send(packet), the packet is effectively dropped and never reaches its destination.
import pydivert
# Block all traffic from a specific IP address
with pydivert.WinDivert("ip.SrcAddr == 1.2.3.4") as w:
for packet in w:
print(f"Blocking packet from {packet.src_addr}")
# Packet is dropped hereYou can inspect or modify the raw bytes of the packet payload.
import pydivert
# Filter for TCP packets with payload
with pydivert.WinDivert("tcp.PayloadLength > 0") as w:
for packet in w:
if b"secret-token" in packet.payload:
print("Sensitive data detected!")
# Redact the token
packet.payload = packet.payload.replace(b"secret-token", b"REDACTED")
w.send(packet)Log detailed information about network flows.
import pydivert
with pydivert.WinDivert("tcp or udp") as w:
for packet in w:
direction = "OUT" if packet.is_outbound else "IN "
print(f"[{direction}] {packet.src_addr}:{packet.src_port} -> "
f"{packet.dst_addr}:{packet.dst_port} ({len(packet.payload)} bytes)")
w.send(packet)The pydivert.Packet object provides easy access to common protocol fields:
- IP Layer:
packet.src_addr,packet.dst_addr,packet.ip.ttl - TCP/UDP Layer:
packet.src_port,packet.dst_port - Payload:
packet.payload(bytes) - Metadata:
packet.is_inbound,packet.is_outbound,packet.interface,packet.timestamp
Detailed protocol headers are available through packet.ipv4, packet.ipv6, packet.tcp, packet.udp, and packet.icmp.
WinDivert supports different layers for capturing different types of traffic:
Layer.NETWORK(default): Captures IP packets.Layer.FLOW: Captures connection events (useful for logging connections without seeing every packet).Layer.SOCKET: Captures socket-level events.
from pydivert import WinDivert, Layer
with WinDivert("true", layer=Layer.FLOW) as w:
for event in w:
print(f"Connection event: {event}")You can customize the behavior using flags:
Flag.SNIFF: Capture packets without diverting them (they still reach their destination).Flag.DROP: Drop packets by default.Flag.OVERLAPPED: Use asynchronous (overlapped) I/O.
from pydivert import WinDivert, Flag
with WinDivert("tcp.DstPort == 80", flags=Flag.SNIFF) as w:
for packet in w:
print(f"Sniffed: {packet}")| PyDivert | WinDivert |
|---|---|
| 0.0.7 | 1.0.x or 1.1.x |
| 1.0.x | 1.1.8 (bundled) |
| 2.0.x | 1.1.8 (bundled) |
| 2.1.x | 1.3 (bundled) |
| 3.0.0+ | 2.2.2 (bundled) - Breaking changes for full 2.2 support |
PyDivert 3.0.0 introduces full support for WinDivert 2.2's advanced metadata, which required several backward-incompatible changes to the internal API:
- Packet Constructor: The
Packetclass's__init__now accepts additional metadata fields (layer,event,flow,socket,reflect). Theinterfaceparameter is now optional and defaults to(0, 0). - Internal Metadata: When receiving packets from non-
NETWORKlayers (likeFLOWorSOCKET), thePacketobject now preserves and allows re-injecting the full metadata structure. wd_addrProperty: This property now returns a fullWINDIVERT_ADDRESSfor any supported layer, not just the network layer.
If you are manually creating Packet objects or relying on the exact signature of the Packet constructor, you may need to update your code.
To set up a development environment:
- Clone the repository.
- Install dependencies:
uv sync --extra test --extra docs - Run tests (requires Admin):
uv run pytest
Since PyDivert requires Windows and Administrator privileges, you can use Vagrant to run the test suite on a Windows 11 virtual machine from a Linux or macOS host.
Prerequisites:
Steps:
-
Bring up the VM:
vagrant up
This will download a Windows 11 box, provision it with
uv, and install all necessary dependencies. -
Run the tests:
vagrant powershell -c '$env:UV_PROJECT_ENVIRONMENT="C:/pydivert_venv"; cd C:/pydivert; uv run pytest' -
Interactive Session: If you need to explore the environment manually:
vagrant powershell
The full API documentation is available at https://ffalcinelli.github.io/pydivert/.
PyDivert is dual-licensed under the LGPLv3 and GPLv2 licenses to match the WinDivert driver's licensing strategy. See the LICENSE file for more details.
